On Thu, 2008-09-18 at 11:18 -0400, Scott Kitterman wrote:
> On Thursday 18 September 2008 10:02, Shevek wrote:
> > Hi,
> >
> > People are asking me about making this vuln public. How long do you want
> > until you're ready to roll with a fix? You'll still need most of
> > Magnus's debian patches if you're only replacing that one file.
> >
> > S.
>
> For Ubuntu, I can probably get inputs to the security team today. They
> generally need 24-48 hours to get things rolled out. Unfortunately I'm
> leaving town in the morning and will be off the grid for a week (I'd thought
> this would wait until I got back). The Ubuntu development release doesn't
> promise any level of security goodness, so I'll get 1.2.6 into it once I get
> back (hopefully via Debian if Magnus gets it uploaded).
>
> I'll give the Ubuntu security team your name/address as a POC in my absence
> and make sure you know who to email before I go.

I'm still waiting to hear back from Dan, but CERT want to make this into
a CVE. I'm also travelling for work next week, although I'll be on
email, I hope.

I'm tempted to put this out as a quiet security update in both
distributions, preferably in advance of the fanfare, I don't want a CVE
coming out before Debian have released the patch. On the other hand, I
have agreed to wait for Dan.

I've run out of time. I'll be offline from Friday or Saturday until the following Saturday or Sunday. Shevek has kees and jdstrand's email addresses and is supposed to mail you when it can be released. These are simple diffs to bring the affected file up to the proposed 1.2.6 version. Clearly it can be reduced. Magnus Holmgren, the Debian Maintainer, is working on a minimal patch. Attached is the non-reduced diff for the security fixes for all current distros. For Feisty - Intrepid they are to be applied after the last current patch for each release. Dapper has no patch system, so it's just a direct diff.

I'm back online with no word on when this goes public. As you can see, there is a CVE number now. Sunday PM or Monday I'll be able to roll actual debdiffs based on the reduced patch it looks like Debian will use.

Intrepid. This one I installed and tested using spfquery and it works. I did not try to recreate the exploit. Dan Kaminsky reviewed the upstream changes this patch is based on and this patch, so I'm not about to second guess him.

Thanks for your hard work Scott. I have been able to find libspf2-1.2.8.tar.gz on the net, which includes these patches, so I am going to mark this public.

Couple of things:
1. the dapper debdiff should use 1.2.5-3ubuntu0.1 as the version
2. the uploaded hardy debdiff was actually the intrepid debdiff
3. we now use a different changelog format as per https://wiki.ubuntu.com/SecurityUpdateProcedures. This won't affect this upload, but thought you'd like to know

I have adjusted the dapper version and created a hardy debdiff based on intrepid, since they are both based on version 1.2.5.

I also just noticed that hardy and gutsy both have a release version of 1.2.5.dfsg-4. Therefore, the gutsy update should have 1.2.5.dfsg-4ubuntu.0.7.10.1 and hardy 1.2.5.dfsg-4ubuntu.0.8.04.1. I'll fix that as well and upload shortly.